A large scale computer program provides a large number of functionalities that can be invoked by users and other entities (e.g. other programs). Some of these functionalities (e.g. functionalities that allow a user to set certain fundamental operating parameters of the program) may have significant impact on the overall operation and performance of the program, while other functionalities may have little or no impact. Because some of the functionalities may give rise to serious consequences, it is desirable to limit access to those and perhaps other functionalities to ensure that only the proper users have access to them. For this reason, most, if not all, large scale programs implement some type of access control mechanism.
Some large scale programs implement access control at the component level. More specifically, a large scale program may comprise a plurality of components, each of which may provide one or more functionalities. Access control logic may be coded into some or all of these components to enable them to control and limit access to the functionalities that they provide. An advantage of this component-level approach is that it is versatile. Because each component can implement its own access control logic, that logic can be customized to fit the needs of each individual component. A drawback of this approach, however, is that it can require significant amounts of code to be added to each component, which in turn, can significantly increase the cost of developing each component. In addition, it can lead to large amounts of redundant code.
Access control may also be implemented at the operating system level. Some operating systems provide access control modules that can be invoked by program components (e.g. the components of a large scale program) that run on top of those operating systems. Using the access control modules, an administrator can specify certain access control rules and policies. Then, at runtime, the components can invoke the access control modules of the operating system to have those modules enforce the rules and policies to implement access control on behalf of the components. This approach is advantageous in that it relieves the components of having to implement their own access control mechanisms. However, it is disadvantageous in that it renders the components operating system/platform dependent. Because of this dependency, the components, and hence, the large scale program, cannot be ported to and run on other operating systems/platforms.
As the above discussion shows, the current approaches to implementing access control in large scale programs have significant drawbacks. Consequently, an improved approach is needed.